Obfuscation and Data Encoding
From Unprotect Project
Technique Description
Malware uses obfuscation and data encoding to mask its malicious activity, so to fully understand a sample we have to understand these techniques. Sometimes the authors choose simple ciphers or basic encoding functions that are easy to implement and provide enough protection. Other times they use sophisticated cryptographic ciphers or custom encryption to make identification and reverse engineering more difficult.
Techniques
Below is a list of all the obfuscation and data encoding techniques in the Unprotect Project:
Obfuscation & Data Encoding

| Technique | Description |
|---|---|
| XOR | XOR is the operation most commonly used by malware, because it is easy to implement and hides data well enough. A key is combined with the plaintext to produce the ciphertext. XOR is reversible, which means the same function is used to encode and decode. |
| Base64 | Base64 represents binary data as an ASCII string. It is a simple encoding and is commonly found in malware. |
| Caesar/ROT | The Caesar cipher is a simple encoding algorithm used during the Roman Empire to hide secret messages. |
| ROL | Similar to the Caesar cipher: a simple rotation of the original string. |
| Crypto | Cryptography is often used in malware to protect against analysis or to perform malicious actions (e.g. ransomware). |
| Custom | Malware often uses custom encoding schemes. This can be an entirely custom algorithm or a layering of known algorithms (e.g. XOR + Base64). |
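As an added example (not code from the Unprotect Project page), the Python below implements the XOR, ROL, Caesar/ROT and Base64 primitives from the table and shows how an analyst peels the XOR + Base64 layering named under "Custom" by brute-forcing a single-byte XOR key and ranking the candidates by how text-like they are. The sample blob and its plaintext are constructed here for the demonstration.

```python
import base64
import string

ALLOWED = set((string.ascii_letters + string.digits + " ").encode())

def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key; the same call encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def rol8(value: int, n: int) -> int:
    """Rotate one byte left by n bits (the byte-wise ROL form seen in decoder loops)."""
    n %= 8
    return ((value << n) | (value >> (8 - n))) & 0xFF

def rot_text(text: str, shift: int) -> str:
    """Caesar/ROT shift over ASCII letters only; ROT13 is shift=13."""
    out = []
    for c in text:
        if c.isascii() and c.isalpha():
            base = ord("A") if c.isupper() else ord("a")
            out.append(chr((ord(c) - base + shift) % 26 + base))
        else:
            out.append(c)
    return "".join(out)

def brute_force_xor(data: bytes) -> list:
    """Try all 256 single-byte keys and rank the outputs by how many bytes
    look like plain ASCII text (letters, digits, spaces). Best candidate first."""
    scored = []
    for key in range(256):
        candidate = xor_bytes(data, bytes([key]))
        score = sum(b in ALLOWED for b in candidate)
        scored.append((score, key, candidate))
    scored.sort(key=lambda t: t[0], reverse=True)
    return scored

def decode_b64_xor(blob: str) -> list:
    """Peel the Base64 layer, then brute-force the XOR layer beneath it."""
    return brute_force_xor(base64.b64decode(blob))

# Constructed sample (not from any real malware): a plaintext XOR-ed with
# key 0x5A and then Base64-encoded, i.e. the XOR + Base64 layering above.
PLAINTEXT = b"This string was hidden with XOR and Base64"
SAMPLE = base64.b64encode(xor_bytes(PLAINTEXT, b"\x5a")).decode()

if __name__ == "__main__":
    score, key, text = decode_b64_xor(SAMPLE)[0]
    print(f"key=0x{key:02x} score={score} text={text!r}")
    print(rot_text("Uryyb", 13), hex(rol8(0x81, 1)))
```

The ranking works because only the correct key turns every byte of this sample back into letters, digits or spaces; on real samples with binary plaintext, extend `ALLOWED` or score against a known-plaintext prefix instead.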